Firewall choice quiz
This will get a lot of different responses... I have a question to pose and I want responses that have meat to back it up... The best Linux distro to base a first line of defense against the wild and wooly?
Here goes: I want to build a secure system, a firewall in itself, netfilter, it will be an exposed system. Linux is of course my OS of choice, but which distro is the most inherently secure overall? I am currently leaning toward CentOS because of its functionality and stability, then hardening it to do the job. Throw some opinions at me... The current CentOS kernel is 2.6.18. Best is 2.6.31 vanilla stuff as of this writing. Not bad I guess... IPtables is 1.4.5 which I downloaded and compiled on my test system. If you were building a first line of defense what would you do? Thanks all for your advice. ->xxon |
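Whatever distro the box ends up on, the part that actually stands between it and the wild is the netfilter ruleset the original poster mentions. As an added example (not from the thread or from any of the posters), here is a small POSIX shell script that emits a default-deny ruleset in iptables-restore format for an exposed host: chain policy DROP on INPUT and FORWARD, loopback and established traffic allowed, rate-limited ping, only the listed TCP ports open for new connections, and rate-limited logging of everything else. The port list and the `fw-drop:` log prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: generate a default-deny netfilter ruleset
# in iptables-restore format. Ports given as arguments are the only inbound
# TCP services allowed; everything else hits the INPUT chain policy (DROP).
# Assumed usage on the host:  gen_ruleset 22 443 | sudo iptables-restore
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always fine
-A INPUT -i lo -j ACCEPT
# replies to connections this host (or an allowed client) already opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets with no valid connection state never reach a service
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping so diagnostics and path MTU discovery keep working
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    for port in "$@"; do
        # only numeric ports; anything else would corrupt the ruleset
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
# log (rate-limited) and then fall through to the chain policy DROP
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check before loading: INPUT and FORWARD policies must both be DROP.
ruleset_is_default_deny() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP'
}

# Example run (prints the ruleset; nothing is loaded into the kernel here).
if [ "${1:-}" = "--demo" ]; then
    gen_ruleset 22 443
fi
```

The generated text is plain iptables-restore input, so it can be reviewed and kept under version control before it is ever loaded; loading it requires root and is deliberately left out of the script.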
If it's just a firewall, I'd go with one of the firewall-leaning distros.
The problem with this question is that it's mostly irrelevant which is most secure by default, since you're not going to run a default system. And once you've configured the system, it's mostly irrelevant which one you started with. The best one is the one you can most easily and most reliably secure. </cop out> |
Agreed. My goal is to create a secure system that can withstand attack (constant) from the wild. It has to be secure and at least promise prevention (lost cause). So, overall, is there a version of Linux with that built in? Open ports are always a hazard but necessary.
|
I would stay away from CentOS. They have been slipping on their security patches. 1 1/2 months after the Red Hat release for some recent patches. Long story why.
If you want a firewall-based distro there are many options. IPCop, SmoothWall, ClarkConnect, engrade, etc. Here is a list of a majority of them: http://en.wikipedia.org/wiki/List_of..._distributions |
I haven't tried it yet, but I came across this while doing a search for security-focused versions of Linux:
"Owl" -- a security-enhanced server platform. http://www.openwall.com/Owl/CONCEPTS.shtml

"Owl" (or "Openwall GNU/*/Linux"; please note that only the "O" is capitalized in either case) is a security-enhanced operating system with Linux and GNU software as its core, compatible with other major distributions of GNU/*/Linux. It is intended as a server platform. And, of course, it's free.

Owl combines several approaches to reduce the number and/or impact of flaws in its software components and the impact of flaws in third-party software that one might install on the system. The primary approach used is proactive source code review for several classes of software vulnerabilities. However, because of the large amount of code, there's a certain level of "importance" for a software component or a part thereof to be audited. Currently, only pieces of code which are typically run with privileges greater than those of a regular user and/or typically process data obtained over a network are audited before the corresponding software component is included. This covers relevant code paths in many of the system libraries, all SUID/SGID programs, all daemons and network services. Other software may be audited when it is already a part of Owl. Potential problems found during the audit are fixed or, in some pathological cases, may prevent the software component from being included. In general, code quality and privilege management are always considered when there's a choice between implementations of a feature. As the project evolves, many of the software components will be replaced with ones of our own.

When packaged for Owl, the software components are configured or, when necessary, modified in order to provide safe defaults, apply the least privilege principle, and introduce privilege separation. The use of safe defaults, where optional and potentially dangerous features need to be turned on explicitly, lets us audit the pieces of code used in the default configuration in a more thorough way. Extra systems administration facilities ("owl-control") are provided for managing system features such as the optional SUID/SGID binaries independently from installing the corresponding packages. Every Owl package will have its audit status documented to allow for risk assessment. |
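The Owl text above treats the set of SUID/SGID binaries as something to be decided deliberately and documented, rather than whatever the packages happened to install. You can apply the same idea on any distro you end up hardening. As an added example (not from the thread, not Owl's owl-control, and not part of any distro), the POSIX shell script below inventories set-id files on a host and reports any that are not in an allowlist you maintain, so a new or unexpected privileged binary shows up in a routine check. The allowlist path and the sample inventory in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Owl: inventory SUID/SGID files
# and compare them against an allowlist of binaries this host is meant to have.
# Assumed usage:  list_setid_binaries / > inv.txt; unexpected_setid /etc/setid.allow < inv.txt

# Print "mode owner:group path" for every SUID or SGID regular file under ROOT,
# staying on one filesystem (-xdev) so bind mounts and /proc are not walked.
list_setid_binaries() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null | sort -k3
}

# Read an inventory (format as produced above) on stdin and print only the
# entries whose path is not listed, one per line, in the allowlist file $1.
# Returns 1 if anything unexpected was found, 0 if the inventory is clean,
# so it can gate a cron job or a config-management run.
unexpected_setid() {
    allow=$1
    found=0
    while read -r mode owner path; do
        [ -z "$path" ] && continue
        # -x: whole-line match, -F: literal, so /usr/bin/su does not match /usr/bin/sudo
        if ! grep -qxF -- "$path" "$allow"; then
            printf '%s %s %s\n' "$mode" "$owner" "$path"
            found=1
        fi
    done
    return $found
}

# Example run against a constructed inventory (no real host data involved).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo > "$tmp/allow"
    printf '4755 root:root /usr/bin/passwd\n4755 root:root /opt/vendor/helper\n' |
        unexpected_setid "$tmp/allow" || echo "unexpected set-id binaries found"
    rm -rf "$tmp"
fi
```

The inventory and the allowlist are both plain text, so the first run on a freshly installed box gives you the list to review and trim (and the `chmod u-s` decisions to make), and every later run only reports drift from what you approved.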
Nobody has approached it from this angle, so let me throw in the possibility of a distro geared for security from the get-go: Untangle Server. I have heard that the Untangle Server is like an open source equivalent of a SonicWALL appliance minus the crypto enhancement chip. You get a lot of preconfigured functionality that's installable from an ISO. You can recompile or enhance any functionality, but this was made for use as a first-line-of-defence gateway. http://www.untangle.com/Downloads/Download-ISO |
Vyatta is based on Debian, is well documented, and has an active community involvement. Check it out... |